platform_system_sepolicy/vold.te
Stephen Smalley 273d7ea4ca Label block devices created or accessed by vold with specific types.
Assign a more specific type than block_device to all
block devices created or accessed by vold.   Allow vold
to set the context on the device nodes it creates.

vold can create extra loop devices (/dev/block/loopN) and
block devices for volumes it manages (/dev/block/vold/M:N).

vold can read/write device mapper block devices (/dev/block/dm-N)
created for encrypted volumes.

vold can read/write metadata partitions used to store encryption metadata.
The metadata_block_device type should be assigned in device-specific
policy to the partition specified by the encryptable= mount option
for the userdata entry in the fstab.<board> file.

This change does not remove the ability to create or read/write
generic block_device devices by vold, so it should not break anything.
It does add an auditallow statement on such accesses so that we can track
remaining cases where we need to label such device nodes so that we can
ultimately remove this access.

Change-Id: Id3bea28f5958086716cd3db055bea309b3b5fa5a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-02 13:29:25 +00:00


# volume manager
# Type-enforcement rules for the vold domain: the types it declares and
# the objects it may touch.
type vold, domain;
type vold_exec, exec_type, file_type;
# Macro defined outside this file (te_macros in AOSP); sets up the transition
# into the vold domain when init executes a vold_exec file.
init_daemon_domain(vold)
# mlstrustedsubject is declared outside this file; it exempts the subject
# from MLS constraints. NOTE(review): confirm which access below needs it.
typeattribute vold mlstrustedsubject;
# Lets vold choose the security context of files it creates, so the device
# nodes it makes can carry a specific type instead of the parent's default.
allow vold self:process setfscreate;
allow vold system_file:file x_file_perms;
# Legacy access to nodes that still carry the generic block_device type,
# kept for compatibility. The auditallow logs every granted use on blk_file
# so the remaining unlabelled nodes can be found and given specific types;
# the allow rule is meant to be removed once none are left.
allow vold block_device:dir create_dir_perms;
allow vold block_device:blk_file create_file_perms;
auditallow vold block_device:blk_file create_file_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
# Mount points and filesystems vold manages (rootfs, sdcard, tmpfs).
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton;
allow vold sdcard_type:filesystem { mount remount unmount };
allow vold sdcard_type:dir create_dir_perms;
allow vold sdcard_type:file create_file_perms;
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
# NOTE(review): broad capability set (includes sys_admin and dac_override).
# Presumably mknod is for the device nodes created below and sys_admin for
# the mount operations above - confirm each one before trimming.
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
# Presumably used to receive kernel uevents about block devices - confirm.
allow vold self:netlink_kobject_uevent_socket create_socket_perms;
# NOTE(review): read/write on application data files; the feature that
# needs this is not stated here - confirm against the vold sources.
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
# Specifically typed block devices. vold creates loop devices
# (/dev/block/loopN) and volume nodes (/dev/block/vold/M:N); it only reads
# and writes device-mapper nodes (/dev/block/dm-N) for encrypted volumes.
# The dm_device chr_file is presumably the device-mapper control node.
allow vold loop_device:blk_file create_file_perms;
allow vold vold_device:blk_file create_file_perms;
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
# For vold Process::killProcessesWithOpenFiles function.
# These rules target the whole `domain` attribute, so vold may read the
# per-process directories, files and symlinks of every process type and
# send signal/sigkill to any of them.
# NOTE(review): sys_ptrace is presumably needed to inspect other processes'
# open-file links under /proc - confirm; it is a sensitive capability.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill };
# For blkid
# NOTE(review): this grants read/execute on the shell itself and this file
# adds no domain transition for it, so a shell started by vold would
# presumably keep vold's permissions - verify against the definition of
# rx_file_perms and the calling code.
allow vold shell_exec:file rx_file_perms;
# XXX Label sysfs files with a specific type?
# NOTE(review): until that is done, this is read/write on every file that
# carries the generic sysfs type.
allow vold sysfs:file rw_file_perms;
# Macro defined outside this file; by its name it lets vold write to the
# kernel log - confirm.
write_klog(vold)
# Run fsck.
# Same pattern as the shell rule: no transition rule in this file, so fsck
# presumably runs in the vold domain - confirm.
allow vold fsck_exec:file rx_file_perms;
# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
#
# Rules to support encrypted fs support.
#
# Set property.
# Macro defined outside this file; connects vold to init's property socket.
unix_socket_connect(vold, property, init)
# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount remount };
# Access /efs/userdata_footer.
# XXX Split into a separate type?
# NOTE(review): as written this is read/write on every file typed efs_file,
# not only the footer named above.
allow vold efs_file:file rw_file_perms;
# Create and mount on /data/tmp_mnt.
# NOTE(review): the rule covers any system_data_file directory, not just
# /data/tmp_mnt; a dedicated type would narrow it.
allow vold system_data_file:dir { create rw_dir_perms mounton };
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
# Property Service
# vold may set properties of these three types only. powerctl_prop, by its
# name, presumably covers power-control (reboot/shutdown) requests - confirm.
allow vold vold_prop:property_service set;
allow vold powerctl_prop:property_service set;
allow vold ctl_fuse_prop:property_service set;
# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
# Macro defined outside this file; presumably lets vold query the loaded
# policy for the relabel operations below - confirm.
security_access_policy(vold)
# Relabelling: asec_apk_file may be relabelled from and to; asec_public_file
# is a relabelto target only, so nothing here relabels out of it.
allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto };
allow vold asec_public_file:dir { relabelto setattr };
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
allow vold asec_public_file:file { relabelto setattr };
# restorecon files in asec containers created on 4.2 or earlier.
# Only relabelfrom is granted on unlabeled; the permitted destinations are
# the relabelto rules above.
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
allow vold unlabeled:file { r_file_perms setattr relabelfrom };
# Handle wake locks (used for device encryption)
wakelock_use(vold)
# talk to batteryservice
# binder_call is limited to the healthd domain here.
binder_use(vold)
binder_call(vold, healthd)
# talk to keymaster
allow vold tee_device:chr_file rw_file_perms;
# Access userdata block device.
allow vold userdata_block_device:blk_file rw_file_perms;
# Access metadata block device used for encryption meta-data.
# metadata_block_device is expected to be assigned in device-specific policy
# to the partition named by the encryptable= mount option of the userdata
# entry in fstab.<board>; until a device does that, this rule matches nothing
# and the access falls back to the audited block_device rule.
allow vold metadata_block_device:blk_file rw_file_perms;